Harry Hoffman wrote: > root password hash is a bad idea! cobbler doesn't really protect those > directories and if the errant badguy would able to download the hash > they might be able to get the password through rainbow tables or brute > force. > > what we do for our local users is use apg to create a default new > password. We drop the plaintext version of this in their homedir and > ensure it's chmod 600 chown user.user > > something along these lines might be a bit better. > > Cheers, > Harry >
We could perhaps generate one on an install by install basis (using the magic of Cheetah), but we also then need to store that in cobbler in a way that is retrievable by the admin so they can know it if they need to log in. Cobbler's storage is read-only for this, so that is suboptimal. Of course a user can, if they so wish, modify the password in %post. It's hard to pick something that is good for everyone that still works cleanly for fully automated installs without a lot of extra setup and confusion. So right now the docs say "run cobbler check" and that will warn you about the default. Naturally the passwords are readable, but it's a hash, and there is a well known tradeoff between the ability to automate a deployment that is administerable and the security of that deployment. Files deployed are by their very nature public, but if the user wants to scramble passwords in %post, that's fair game. However apg is not in RHEL. If we were to tighten permissions on Cobbler state files and make it impossible to retrieve the password stored in cobbler via XMLRPC, we could do per-system root password generation as an option, though that's a pretty major RFE that we'd probably need to look at for 1.4 Much of this is more of a documentation item as each site will have their own preferences. --Michael > > On Thu, 2008-10-16 at 19:41 +0200, Javier Palacios wrote: > >>> A future idea for /usr/bin/cobbler setup is probably to ask the user >>> what they want the default password for the sample kickstarts to be and >>> then add that to the sample kickstarts. >>> >> Ask for password does not match well with rpm install. >> What about just take the hash from /etc/shadow from an existing user? >> (either a cobbler user or simply root) >> >> JaviP >> _______________________________________________ >> cobbler mailing list >> [email protected] >> https://fedorahosted.org/mailman/listinfo/cobbler >> > > _______________________________________________ > cobbler mailing list > [email protected] > https://fedorahosted.org/mailman/listinfo/cobbler > _______________________________________________ cobbler mailing list [email protected] https://fedorahosted.org/mailman/listinfo/cobbler
